Rang Barse, Scam Na Barse: Stay Cyber-Safe This Holi 2025!

Disclaimer:

This report is based on extensive research conducted by CyberPeace Research using publicly available information, and advanced analytical techniques. The findings, interpretations, and conclusions presented are based on the data available at the time of study and aim to provide insights into global ransomware trends.

The statistics mentioned in this report are specific to the scope of this research and may vary based on the scope and resources of other third-party studies. Additionally, all data referenced is based on claims made by threat actors and does not imply confirmation of the breach by CyberPeace. CyberPeace includes this detail solely to provide factual transparency and does not condone any unlawful activities. This information is shared only for research purposes and to spread awareness. CyberPeace encourages individuals and organizations to adopt proactive cybersecurity measures to protect against potential threats.

CyberPeace Research does not claim to have identified or attributed specific cyber incidents to any individual, organization, or nation-state beyond the scope of publicly observable activities and available information. All analyses and references are intended for informational and awareness purposes only, without any intention to defame, accuse, or harm any entity.

While every effort has been made to ensure accuracy, CyberPeace Research is not liable for any errors, omissions, subsequent interpretations and any unlawful activities of the findings by third parties. The report is intended to inform and support cybersecurity efforts globally and should be used as a guide to foster proactive measures against cyber threats.

Executive Summary: 

The 2024 ransomware landscape reveals alarming global trends, with 166 Threat Actor Groups leveraging 658 servers/underground resources and mirrors to execute 5,233 claims across 153 countries. Monthly fluctuations in activity indicate strategic, cyclical targeting, with peak periods aligned with vulnerabilities in specific sectors and regions. The United States was the most targeted nation, followed by Canada, the UK, Germany, and other developed countries, with the northwestern hemisphere experiencing the highest concentration of attacks. Business Services and Healthcare bore the brunt of these operations due to their high-value data, alongside targeted industries such as Pharmaceuticals, Mechanical, Metal, Electronics, and Government-related professional firms. Retail, Financial, Technology, and Energy sectors were also significantly impacted.

This research was conducted by CyberPeace Research using a systematic modus operandi, which included advanced OSINT (Open-Source Intelligence) techniques, continuous monitoring of Ransomware Group activities, and data collection from 658 servers and mirrors globally. The team utilized data scraping, pattern analysis, and incident mapping to track trends and identify hotspots of ransomware activity. By integrating real-time data and geographic claims, the research provided a comprehensive view of sectoral and regional impacts, forming the basis for actionable insights.

The findings emphasize the urgent need for proactive Cybersecurity strategies, robust defenses, and global collaboration to counteract the evolving and persistent threats posed by ransomware.

Overview:

This report provides insights into ransomware activities monitored throughout 2024. Data was collected by observing 166 Threat Actor Groups using ransomware technologies across 658 servers/underground resources and mirrors, resulting in 5,233 claims worldwide. The analysis offers a detailed examination of global trends, targeted sectors, and geographical impact.

Top 10 Threat Actor Groups:

The ransomware group ‘ransomhub’ has emerged as the leading threat actor, responsible for 527 incidents worldwide. Following closely are ‘lockbit3’ with 522 incidents and ‘play’ with 351. Other Groups are ‘akira’, ‘hunters’, ‘medusa’, ‘blackbasta’, ‘qilin’, ‘bianlian’, ‘incransom’. These groups usually employ advanced tactics to target critical sectors, highlighting the urgent need for robust cybersecurity measures to mitigate their impact and protect organizations from such threats.

Monthly Ransomware Incidents:

In January 2024, the value began at 284, marking the lowest point on the chart. The trend rose steadily in the subsequent months, reaching its first peak at 557 in May 2024. However, after this peak, the value dropped sharply to 339 in June. A gradual recovery follows, with the value increasing to 446 by August. September sees another decline to 389, but a sharp rise occurs afterward, culminating in the year’s highest point of 645 in November. The year concludes with a slight decline, ending at 498 in December 2024 (till 28th of December).

Top 10 Targeted Countries:

1. The United States consistently topped the list as the primary target probably due to its advanced economic and technological infrastructure.
2. Other heavily targeted nations include Canada, UK, Germany, Italy, France, Brazil, Spain, and India.
3. A total of 153 countries reported ransomware attacks, reflecting the global scale of these cyber threats

Top Affected Sectors:

1. Business Services and Healthcare faced the brunt of ransomware threat due to the sensitive nature of their operations.
2. Specific industries under threats:
   1. Pharmaceutical, Mechanical, Metal, and Electronics industries.
   2. Professional firms within the Government sector.
3. Other sectors:
   1. Retail, Financial, Technology, and Energy sectors were also significant targets.

Geographical Impact:

The continuous and precise OSINT(Open Source Intelligence) work on the platform, performed as a follow-up action to data scraping, allows a complete view of the geography of cyber attacks based on their claims. The northwestern region of the world appears to be the most severely affected by Threat Actor groups. The figure below clearly illustrates the effects of this geographic representation on the map.

Ransomware Threat Trends in India:

In 2024, the research identified 98 ransomware incidents impacting various sectors in India, marking a 55% increase compared to the 63 incidents reported in 2023. This surge highlights a concerning trend, as ransomware groups continue to target India's critical sectors due to its growing digital infrastructure and economic prominence.

Top Threat Actors Group Targeted India:

Among the following threat actors ‘killsec’ is the most frequent threat. ‘lockbit3’  follows as the second most prominent threat, with significant but lower activity than killsec. Other groups, such as ‘ransomhub’, ‘darkvault’, and ‘clop’, show moderate activity levels. Entities like ‘bianlian’, ‘apt73/bashe’, and ‘raworld’ have low frequencies, indicating limited activity. Groups such as ‘aps’ and ‘akira’ have the lowest representation, indicating minimal activity. The chart highlights a clear disparity in activity levels among these threats, emphasizing the need for targeted cybersecurity strategies.

Top Impacted Sectors in India:

The pie chart illustrates the distribution of incidents across various sectors, highlighting that the industrial sector is the most frequently targeted, accounting for 75% of the total incidents. This is followed by the healthcare sector, which represents 12% of the incidents, making it the second most affected. The finance sector accounts for 10% of the incidents, reflecting a moderate level of targeting. In contrast, the government sector experiences the least impact, with only 3% of the incidents, indicating minimal targeting compared to the other sectors. This distribution underscores the critical need for enhanced cybersecurity measures, particularly in the industrial sector, while also addressing vulnerabilities in healthcare, finance, and government domains.

Month Wise Incident Trends in India:

The chart indicates a fluctuating trend with notable peaks in May and October, suggesting potential periods of heightened activity or incidents during these months. The data starts at 5 in January and drops to its lowest point, 2, in February. It then gradually increases to 6 in March and April, followed by a sharp rise to 14 in May. After peaking in May, the metric significantly declines to 4 in June but starts to rise again, reaching 7 in July and 8 in August. September sees a slight dip to 5 before the metric spikes dramatically to its highest value, 24, in October. Following this peak, the count decreases to 10 in November and then drops further to 7 in December.

CyberPeace Advisory:

1. Implement Data Backup and Recovery Plans: Backups are your safety net. Regularly saving copies of your important data ensures you can bounce back quickly if ransomware strikes. Make sure these backups are stored securely—either offline or in a trusted cloud service—to avoid losing valuable information or facing extended downtime.  
2. Enhance Employee Awareness and Training: People often unintentionally open the door to ransomware. By training your team to spot phishing emails, social engineering tricks, and other scams, you empower them to be your first line of defense against attacks.  
3. Adopt Multi-Factor Authentication (MFA): Think of MFA as locking your door and adding a deadbolt. Even if attackers get hold of your password, they’ll still need that second layer of verification to break in. It’s an easy and powerful way to block unauthorized access.  
4. Utilize Advanced Threat Detection Tools: Smart tools can make a world of difference. AI-powered systems and behavior-based monitoring can catch ransomware activity early, giving you a chance to stop it in its tracks before it causes real damage.  
5. Conduct Regular Vulnerability Assessments: You can’t fix what you don’t know is broken. Regularly checking for vulnerabilities in your systems helps you identify weak spots. By addressing these issues proactively, you can stay one step ahead of attackers.

 ‍

Conclusion:

The 2024 ransomware landscape reveals the critical need for proactive cybersecurity strategies. High-value sectors and technologically advanced regions remain the primary targets, emphasizing the importance of robust defenses. As we move into 2025, it is crucial to anticipate the evolution of ransomware tactics and adopt forward-looking measures to address emerging threats. 

Global collaboration, continuous innovation in cybersecurity technologies, and adaptive strategies will be imperative to counteract the persistent and evolving threats posed by ransomware activities. Organizations and governments must prioritize preparedness and resilience, ensuring that lessons learned in 2024 are applied to strengthen defenses and minimize vulnerabilities in the year ahead.

‍

‍

India’s Rapid Digital Expansion

‍
‍

‍

Over the past decade, India has experienced a rapid digitalisation process. The rise of digital financial services,  affordable internet costs, and the penetration of smartphones have transformed the way people communicate, transact and do business online.

Online payment systems, including Unified Payments Interface (UPI), have enabled real-time transactions between banks and financial systems. As much as these systems have enhanced access to finance and efficiency, they have also created new opportunities for cybercriminals.

Cybercrime has evolved alongside the shift of financial and social interactions to digital platforms. The fraud attacks on online payments, online banking, and personal information have become common and increasingly costly.

To analyse the scale and trend of cybercrime in India, this analysis will use the datasets released by the National Crime Records Bureau (NCRB) and financial fraud data released by the Indian Cyber Crime Coordination Centre (I4C) under the Ministry of Home Affairs.
‍

The Rise of Cybercrime in India
‍

‍

The Rise of Cybercrime in India
‍

Source: National Crime Records Bureau – Crime in India Reports

The data released by the NCRB documents cybercrime incidents registered by the police at the national level under the Information Technology Act, 2000 (IT Act) and criminal provisions covering offences such as cheating, impersonation, and digital fraud. In the past, the offences were listed in the provisions of the Indian Penal Code (IPC). Following criminal law reforms in India, on 1 July 2024, the Bharatiya Nyaya Sanhita (BNS), which replaced the IPC, came into force. Section 419 (cheating by impersonation), IPC, would be related to BNS Section 319 and Section 420 (cheating and dishonestly inducing delivery of property), which would be related to BNS Section 318(4). Similarly, crimes involving forgery and use of forged documents or electronic documents, which were previously contained in the IPC Sections 465-471, are dealt with in BNS Sections 335-340.

The data published by the NCRB represent the number of crimes that reached the point of the First Information Report (FIR) registration, meaning they reflect only cybercrime cases that were formally presented to the law enforcement system to investigate, rather than all complaints reported. The data shows that cybercrime cases increased from 27,248 in 2018 to 86,420 in 2023, a 3.17-fold increase in 5 years.

Two structural shifts are visible: the post-pandemic jump and subsequent acceleration.

However, these figures likely underestimate the true scale of cybercrime because many incidents are reported only through online complaint portals and may not result in FIR registration.
‍

The Financial Scale of Digital Fraud

‍

‍

The Financial Scale of Digital Fraud

‍

Source: Ministry of Home Affairs via,  Indian Cyber Crime Coordination Centre (I4C), and National Cyber Crime Reporting Portal (NCRP)

This dataset tracks financial fraud complaints reported through the National Cyber Crime Reporting Portal (NCRP) and the estimated financial losses associated with those complaints.

The financial losses reported between 2021 and 2024 increased by 41 times over four years, compared to 2021, from 551 crore to 22,848 crore. At the same time, the number of complaints rose from 262,846 to over 1.9 million, an increase of ~623%, indicating both rising victimisation and greater public awareness of reporting mechanisms.

The contrast between these two trends is striking:
‍

While complaints increased by around 7 times, financial losses increased by over 40 times. 

‍

‍

Distribution of Cyber-Fraud Complaints and Financial Losses by Fraud Type
‍

Source: Ministry of Home Affairs via Indian Cyber Crime Coordination Centre and National Cyber Crime Reporting Portal; analysis based on reporting in Business Standard using government cyber-fraud data.
‍

This divergence implies an uneven relationship between the number of incidents and the financial damage that they inflict. Most cyber fraud incidents involve relatively small transaction values; however, a smaller group of fraud categories result in disproportionate numbers of financial losses.
‍

‍

Distribution of Financial Losses Across Major Cyber-Fraud Categories in India

‍

Source: Ministry of Home Affairs via,  Indian Cyber Crime Coordination Centre (I4C), and National Cyber Crime Reporting Portal (NCRP) figures reported by The Indian Express
‍

As reported by The Indian Express, based on the data compiled by the I4C, investment-related scams alone account for roughly 77% of reported cyber-fraud losses, followed by smaller shares from “digital arrest” scams (8%), credit card fraud (7%), sextortion (4%), e-commerce fraud (3%), and malware or app-based fraud (1%). This distribution means that even though scams with lower values, like phishing, OTP fraud, and small payment fraud, produce a high proportion of complaints, few categories of fraud produce most of the financial losses.

‍

Analysis

‍

1. Cybercrime is expanding faster than most traditional crimes: The fact that cybercrime cases have tripled in five years shows that cyber offences are presently becoming a significant element of Indian crime. Unlike conventional crimes that require physical proximity, cybercrime can be conducted remotely and at scale, enabling perpetrators to target large numbers of victims simultaneously.

2. Financial losses are concentrated in a small set of fraud categories: As cases of cybercrimes have been on the increase, the monetary losses of digital fraud cases have been increasing at a higher rate. The fact that the number of reported financial losses has increased 40 times in 4 years indicates that cybercrime has a very high economic impact.

3. Complaint volumes and financial damage follow different patterns: When comparing complaints and financial losses, it is evident that cyber fraud losses are unevenly distributed across types of incidents. Most of the prevalent scams reported, including phishing or OTP fraud, involve relatively small transaction values but yield a high portion of complaints. Conversely, fewer categories of fraud, especially investment-based schemes, contribute a significantly higher percentage of total financial losses.

4. Digital financial infrastructure has expanded the attack surface: India’s rapid adoption of digital payment systems, mobile banking and digital  financial systems has dramatically increased the number of potential victims of cybercriminals. The scale of online transactions creates new vulnerabilities that organised cybercrime networks take advantage of.

5. Reporting improvements reveal previously hidden crime: The expansion of national reporting systems has enhanced the transparency in the trends of cybercrime. The increase in the number of complaints recorded is partially due to improved reporting systems and not necessarily to the increased criminal activity, meaning that previous data might have understated the magnitude of cyber fraud.

Recommendations
‍

1. Move from reactive policing to proactive cyber-risk monitoring: The conventional models of policing focus on investigation of crimes that have already taken place. With such a magnitude and pace of cyber fraud, India should have systems that are designed to detect and prevent the fraud at its early stages, such as real-time observation of suspicious patterns in transactions by financial institutions.

2. Strengthen financial intelligence sharing across institutions: There are a lot of instances of cyber fraud that use more than one bank, payment system, and telecommunication provider. To detect new networks of fraud sooner, it can be suggested to establish more information-sharing measures between the financial institution and law enforcement agencies.

3. Target organised cyber fraud networks rather than individual incidents: Many digital scams operate through organised networks that coordinate phishing, mule accounts, and fake payment channels. The solution in regard to this involves dismantling these networks through investigative procedures instead of treating incidents on a case-by-case basis.

4. Improve recovery mechanisms for stolen funds: The recovery of the funds lost is one of the most difficult issues in cases of cyber fraud. Expanding systems such as the Citizen Financial Cyber Fraud Reporting and Management System (CFCFRMS) can improve the speed at which fraudulent transactions are frozen or reversed.

5. Strengthen digital financial literacy: A significant percentage of cyber frauds are based on social engineering methods that take advantage of user behaviour as opposed to technical weaknesses. Victimisation can be greatly reduced through specific public awareness efforts on typical scam schemes.

Conclusion
‍

India’s experience illustrates a broader global trend: as economies digitise, crime increasingly follows the flow of digital money. While cybercrime incidents are rising steadily, the much faster growth in financial losses suggests that cybercriminals are becoming more organised, technologically sophisticated, and economically motivated.

‍

References:
‍

• https://indianexpress.com/article/india/indians-lost-rs-53000-crore-fraud-cheating-cases-six-years-maharashtra-2025-10452185/ 
• https://www.pib.gov.in/PressReleasePage.aspx?PRID=2226441&reg=3&lang=2 -
• https://www.ncrb.gov.in/crime-in-india.html 
• https://i4c.mha.gov.in/index.aspx 
• https://i4c.mha.gov.in/index.aspx 

‍

Introduction

The scam involving "drugs in parcels' has resurfaced again with a new face. Cybercriminals impersonating and acting as FedEx, Police and various other authorities and in actuality, they are the perpetrators or bad actors behind the renewed "drugs in parcel" scam, which entails pressuring victims into sending money and divulging private information in order to escape fictitious legal repercussions. 

Modus operandi  

The modus operandi followed in this scam usually begins with a hacker calling someone on their cell phone posing as FedEx. They say that they are the recipients of a package under their name that includes illegal goods like jewellery, narcotics, or other items. The victim would feel afraid and apprehensive by now. Then there will be a video call with someone else who is posing as a police officer. The victim will be asked to keep the matter confidential while it is being investigated by this "fake officer."

After the call, they would get falsified paperwork from the CBI and RBI stating that an arrest warrant had been issued. Once the victim has fallen entirely under their sway, they would claim that the victim's Aadhaar has been used to carry out the unlawful conduct. They then request that the victim submit their bank account information and Aadhaar data for investigation. Subsequently, the hackers request that the victim transfer funds to a bank account for RBI validation. The victims thus submit money to the hackers believing it to be true for clearing their name.

Recent incidence:

In the most recent instance of a "drug-in-parcel" scam, an IT expert in Pune was defrauded of Rs 27.9 lakh by internet con artists acting as members of the Mumbai police's Cyber Crime Cell. The victim filed the First Information Report (FIR) in this matter at the police station. The victim stated that on November 11, 2023, the complainant received a call from a fraudster posing as a Mumbai police Cyber Crime Cell officer. The scammer falsely claimed to have discovered illegal narcotics in a package addressed to the complainant sent from Mumbai to Taiwan, along with an expired passport and an SBI card. To avoid arrest in a fabricated drug case, the fraudster coerced the complainant into providing bank account information under the guise of "verification." The victim, fearing legal consequences, transferred Rs 27,98,776 in ten online transactions to two separate bank accounts as instructed. Upon realizing the deception, the complainant reported the incident to the police, leading to an investigation.

In another such incident, the victim received an online bogus identity card from the scammers who had phoned him on the phone in October 2023. In an attempt to "clear the case" and issue a "no-objection certificate (NOC)," the fraudster persuaded the victim to wire money to a bank account, claiming to have seized narcotics in a shipment shipped from Mumbai to Thailand under his name. Fraudsters threatened to arrest the victim for mailing the narcotics package if money was not provided. 

Furthermore, In August 2023, fraudsters acting as police officers and executives of courier companies defrauded a 25-year-old advertising student of Rs 53 lakh. They extorted money from her under the guise of avoiding legal action, which would include arrest, and informed her that narcotics had been discovered in a package she had delivered to Taiwan. According to the police, callers acting as police officers threatened to arrest the girl and forced her to complete up to 34 transactions totalling Rs 53.63 lakh from her and her mother's bank accounts to different bank accounts.

Measures to protect oneself from such scams

Call Verification: 

• Be sure to always confirm the legitimacy of unexpected calls, particularly those purporting to be from law enforcement or delivery services. Make use of official contact information obtained from reliable sources to confirm the information presented.

Confidentiality:

• Use caution while disclosing personal information online or over the phone, particularly Aadhaar and bank account information. In general, legitimate authorities don't ask for private information in this way.

Official Documentation: 

• Request official documents via the appropriate means. Make sure that any documents—such as arrest warrants or other government documents—are authentic by getting in touch with the relevant authorities.

No Haste in Transactions: 

• Proceed with caution when responding hastily to requests for money or quick fixes. Creating a sense of urgency is a common tactic used by scammers to coerce victims into acting quickly.

Knowledge and Awareness: 

• Remain up to date on common fraud schemes and frauds. Keep up with the most recent strategies employed by online fraudsters to prevent falling for fresh scam iterations.

Report Suspicious Activity: 

• Notify the local police or other appropriate authorities of any suspicious calls or activities. Reports received in a timely manner can help investigations and shield others from falling for the same fraud.

2fA:

• Enable two-factor authentication (2FA) wherever you can to provide online accounts and transactions an additional degree of protection. This may lessen the chance of unwanted access.

Cybersecurity Software: 

• To defend against malware, phishing attempts, and other online risks, install and update reputable antivirus and anti-malware software on a regular basis.

Educate Friends and Family:

• Inform friends and family about typical scams and how to avoid falling victim to fraud. A safer online environment can be achieved through increased collective knowledge.

Be skeptical

• Whenever anything looks strange or too good to be true, it most often is. Trust your instincts. Prior to acting, follow your gut and confirm the information.

By taking these precautions and exercising caution, people may lessen their vulnerability to scams and safeguard their money and personal data from online fraudsters.

Conclusion:

Verifying calls, maintaining secrecy, checking official papers, transacting cautiously, and keeping up to date are all examples of protective measures for protecting ourselves from such scams. Using cybersecurity software, turning on two-factor authentication, and reporting suspicious activity are essential in stopping these types of frauds. Raising awareness and working together are essential to making the internet a safer place and resisting the activities of cybercriminals.

 References:

• https://indianexpress.com/article/cities/pune/pune-cybercrime-drug-in-parcel-cyber-scam-it-duping-9058298/#:~:text=In%20August%20this%20year%2C%20a,avoiding%20legal%20action%20including%20arrest.
• https://www.the420.in/pune-it-professional-duped-of-rs-27-9-lakh-in-drug-in-parcel-scam/
• https://www.newindianexpress.com/states/tamil-nadu/2023/oct/16/the-return-of-drugs-in-parcel-scam-2624323.html
• https://timesofindia.indiatimes.com/city/hyderabad/2-techies-fall-prey-to-drug-parcel-scam/articleshow/102786234.cms